The part that I think is interesting in this is not the attack they used - it’s old and boring. What would be interesting is combining the attack used against Google with building a fake search engine based on where the user came from. This attack simply requires that you have your code on whatever site is going to get the traffic. That means that if you can XSS a page and you see the referring URL come from a Google domain, you can hijack the traffic when the page unloads.
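
One defender-side way to look for the pattern described above is a static heuristic over a page's inline scripts: flag any script that reads document.referrer, hooks page unload, and also rewrites the location. The example below is added here and is not from the original post; it uses only the Python standard library, and the two sample pages and the hostnames in them are constructed for illustration.

```python
"""
Heuristic detector for referrer-conditioned unload redirects.

Added defender-side example, not code from the original post. It scans
HTML for inline scripts that combine the three ingredients the post
describes: reading document.referrer, hooking page unload, and rewriting
the location. The sample pages below are constructed for illustration.
"""
import re
from html.parser import HTMLParser

# document.referrer read (spaces around the dot tolerated)
REFERRER_RE = re.compile(r"document\s*\.\s*referrer", re.I)
# unload-style hooks: event names or the on* handler properties
UNLOAD_RE = re.compile(r"onbeforeunload|onunload|beforeunload|pagehide|\bunload\b", re.I)
# a *write* to the location: "location = ", "location.href = ", .replace(, .assign(
# the (?!=) keeps "location.href == x" comparisons from matching
LOCATION_WRITE_RE = re.compile(
    r"\blocation(?:\s*\.\s*href)?\s*=(?!=)|\blocation\s*\.\s*(?:replace|assign)\s*\(", re.I
)
ALL_SIGNALS = {"reads_referrer", "hooks_unload", "rewrites_location"}


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and the src of external scripts."""

    def __init__(self):
        super().__init__()
        self.inline = []       # bodies of inline scripts, in document order
        self.external = []     # src attribute values of external scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def analyze_script(body):
    """Return the set of signals present in one script body."""
    signals = set()
    if REFERRER_RE.search(body):
        signals.add("reads_referrer")
    if UNLOAD_RE.search(body):
        signals.add("hooks_unload")
    if LOCATION_WRITE_RE.search(body):
        signals.add("rewrites_location")
    return signals


def scan_html(html):
    """Report inline scripts showing all three signals, plus external script URLs to review."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    suspicious = [
        (i, analyze_script(body))
        for i, body in enumerate(collector.inline)
        if ALL_SIGNALS <= analyze_script(body)
    ]
    return {"suspicious": suspicious, "external_scripts": collector.external}


# Constructed sample: ordinary analytics that only reads the referrer.
BENIGN_PAGE = """<html><head><script src="/static/app.js"></script>
<script>var r = document.referrer;
new Image().src = "/beacon?ref=" + encodeURIComponent(r);</script>
<script>window.addEventListener("load", function () { console.log("ready"); });</script>
</head><body>hello</body></html>"""

# Constructed sample: the referrer-conditioned unload redirect the post describes
# (hostnames are placeholders under reserved TLDs).
SUSPICIOUS_PAGE = """<html><body><p>content</p>
<script>if (document.referrer.indexOf("search-engine.example") !== -1) {
  window.addEventListener("beforeunload", function () {
    location.href = "https://lookalike.invalid/";
  });
}</script></body></html>"""

if __name__ == "__main__":
    print("benign:", scan_html(BENIGN_PAGE))
    print("suspicious:", scan_html(SUSPICIOUS_PAGE))
```

The heuristic is deliberately conservative: a page is only flagged when one script carries all three signals, so referrer-based analytics or a plain unload handler on its own does not trigger it. External scripts are listed rather than judged, since their bodies would have to be fetched and run through analyze_script separately.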

The problem that Google currently faces with typo domain squatters can mostly be handled by better fraud detection by the domain registrars. What I’m discussing with building a fake search engine is not solvable. Google has bigger issues with people building fake websites and then getting Google to host their ads through AdSense on Google itself. Forget taking over a domain, it’s just not required if people think that whatever domains Google is hosting in its ad section are safe - a poor assumption at best.

This entry was posted on Friday, October 13th, 2006 at 2:34 pm and is filed under XSS, Webappsec.